Dear Clients,
We are issuing this advisory regarding a critical security vulnerability (CVE-2026-41940) identified in cPanel & WHM. This vulnerability has been actively exploited in the wild and may allow unauthorized access to affected servers.
Official Advisory:
https://support.cpanel.net/hc/en-us/articles/40073787579671-Security-CVE-2026-41940-cPanel-WHM-WP2-Security-Update-04-28-2026
Incident Overview
Based on industry reports and observed cases, attackers are:
• Scanning for unpatched cPanel servers
• Gaining unauthorized access via authentication bypass
• Deploying a malicious binary (commonly named nuclear.x86)
• Executing it, removing traces, and re-running it periodically
• Performing full system reconnaissance and data access
Potential Impact
If a server was exposed or compromised, the following must be assumed at risk:
• Root/server access credentials
• SSH private keys and authorized access
• Password hashes (including system and database)
• Command history and environment data
• Website/application credentials stored on the server
Note: Website files and databases may appear intact, but hidden access or backdoors may still exist.
Immediate Actions Required
1. Update cPanel Immediately
/scripts/upcp --force
If immediate update is not possible, temporarily disable access:
whmapi1 configureservice service=cpsrvd enabled=0 monitored=0 &&
whmapi1 configureservice service=cpdavd enabled=0 monitored=0 &&
/scripts/restartsrv_cpsrvd --stop &&
/scripts/restartsrv_cpdavd --stop
2. Check for Active Malware
pkill -9 -f "nuclear.x86"
ps auxf | grep -i nuclear
Verification:
wget google.com
If the response shows “Killed”, malware may still be active.
3. Rotate All Credentials
Immediately update:
• WHM/cPanel passwords
• SSH keys (regenerate and replace everywhere)
• FTP/SFTP accounts
• Email accounts
• Database credentials
• API keys, SMTP credentials, webhooks
• CMS/admin panel logins
4. Audit for Unauthorized Access
Carefully review:
• Cron jobs
• FTP accounts
• Email forwarders
• SSH authorized keys
• Recently modified or unknown files (especially in public_html)
Important Considerations
• This is a system-level security issue, not limited to cPanel UI or license
• Even if malware is not currently detected, prior exposure may still result in compromise
• Partial cleanup may not fully eliminate hidden access mechanisms
Recommended Action
For maximum security and long-term stability:
• Perform a full OS reinstallation and fresh cPanel setup
• Restore only verified clean backups
• Apply updates and security hardening before going live
We strongly advise all clients to take this advisory seriously and act immediately to secure their servers.
